Configuring using Azure AD premium license
To audit your Azure AD environment using an Azure AD Premium license, ADAudit Plus uses the Microsoft Graph API to obtain events from Azure AD.
Privileges required while using Microsoft Graph API
- Application.Read.All
- AuditLog.Read.All
- Directory.Read.All
- IdentityRiskEvent.Read.All
- Group.Read.All
- User.Read.All
Register an application
Register an application in the Azure portal, using these steps:
- Go to the Azure portal, and sign in using your Microsoft account.
- Select Azure Active Directory from the Azure services section.
- Go to Manage > App registrations > + New registration to open the Register an application window.
- Enter the application name, for example, ADAudit Plus Application.
- Ensure that Accounts in this organizational directory only (zohoadapazure only - Single tenant) is selected under Supported account types.
- Click Register.
Grant minimum privileges required for Microsoft Graph API
To grant the necessary privileges using Microsoft Graph API:
- Go to the Azure portal, and sign in using your Microsoft account.
- Select Azure Active Directory from the Azure services section.
- Go to Manage > App registrations. Select your application under Owned applications.
- Go to Manage > API permissions and select + Add a permission.
- Select Microsoft Graph. Click Application permissions as the type of permission required.
- From the listing, select the following:
  - Application.Read.All
  - AuditLog.Read.All
  - Directory.Read.All
  - IdentityRiskEvent.Read.All
  - Group.Read.All
  - User.Read.All
- Click Add permissions.
- Select Grant admin consent for <tenant name>.
- Click Yes.
Obtain client ID and client secret
- Go to the Azure portal, and sign in using your Microsoft account.
- Select Azure Active Directory service from the Azure services section.
- Go to Manage > App registrations. Select your application under Owned applications.
- Go to Manage > Certificates & secrets.
- Click + New client secret.
- Enter the description.
- Choose 24 Months as the expiration date; this is the maximum value that can be used.
- Click Add.
- Copy the client secret value (e.g., "14uCILxkHtIVGR3wkCq12341Nd5VtestkkWTyIPrrE=").
- Go to Manage > App registrations. Select your application under Owned applications.
- Navigate to Application (client) ID and click Copy to clipboard.
Setting up Azure AD in ADAudit Plus
- Open the ADAudit Plus web console.
- Go to Configuration > Configured Server(s) > Cloud Directory.
- Select +Add Tenant in the top-right corner.
- Select Audit via Azure.
- In the Cloud Directory window, choose the Cloud Type based on the national cloud endpoints from the list below:
  - Azure AD global service (Azure Cloud - Default)
  - Azure AD for US Government L4 (Azure GCC High Cloud)
  - Azure AD for US Government L5 (Azure DOD Cloud)
  - Azure AD China operated by 21Vianet (Azure China Cloud)
  - Azure AD for Germany (Azure Germany Cloud)
- Enter the Tenant Name, Client ID, and Client Secret.
  Note: To obtain the tenant name:
  - Go to the Azure portal, and sign in using your Microsoft account.
  - Search for and select Microsoft Entra ID.
  - Go to Manage > Custom domain names.
  - Click Add filter, under Filter, select Primary from the dropdown, and under Value, select Yes from the dropdown.
  - Copy the name of the primary domain that is displayed and paste it in the Tenant Name field.
- Click Add.
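Added example (not from the ADAudit Plus documentation or the product): a Python helper that turns the Cloud Type, Tenant Name, Client ID and Client Secret gathered in the steps above into the client-credentials token request for the chosen national cloud, then checks the roles claim of an issued app-only token against the minimum permission set granted in the earlier section and flags a client secret approaching its expiry. Endpoint hosts are Microsoft's published national-cloud endpoints; the function names and the sample tenant and token are assumptions constructed for this example.

```python
import base64
import json
from datetime import datetime, timedelta

# Minimum Microsoft Graph application permissions listed on this page.
REQUIRED_ROLES = frozenset({
    "Application.Read.All", "AuditLog.Read.All", "Directory.Read.All",
    "IdentityRiskEvent.Read.All", "Group.Read.All", "User.Read.All",
})

# Cloud Type shown in the Cloud Directory window -> (login authority, Graph host).
# Hosts are Microsoft's published national-cloud endpoints, not values from this page.
CLOUD_ENDPOINTS = {
    "Azure Cloud": ("https://login.microsoftonline.com", "https://graph.microsoft.com"),
    "Azure GCC High Cloud": ("https://login.microsoftonline.us", "https://graph.microsoft.us"),
    "Azure DOD Cloud": ("https://login.microsoftonline.us", "https://dod-graph.microsoft.us"),
    "Azure China Cloud": ("https://login.chinacloudapi.cn", "https://microsoftgraph.chinacloudapi.cn"),
    "Azure Germany Cloud": ("https://login.microsoftonline.de", "https://graph.microsoft.de"),
}

def client_credentials_request(cloud_type, tenant_name, client_id, client_secret):
    """Token URL and form body for the client-credentials grant that the Tenant Name /
    Client ID / Client Secret settings correspond to, on the chosen national cloud."""
    authority, graph = CLOUD_ENDPOINTS[cloud_type]
    url = f"{authority}/{tenant_name}/oauth2/v2.0/token"
    body = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": f"{graph}/.default"}
    return url, body

def _jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is not verified here."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_roles(token):
    """Compare the 'roles' claim of an app-only token with REQUIRED_ROLES.
    Returns (missing, excess): missing roles break auditing, excess roles over-privilege the app."""
    granted = set(_jwt_claims(token).get("roles", []))
    return sorted(REQUIRED_ROLES - granted), sorted(granted - REQUIRED_ROLES)

def secret_rotation_due(expires_iso, now_iso, warn_days=30):
    """True when the client secret (24-month maximum lifetime) expires within warn_days."""
    expires, now = datetime.fromisoformat(expires_iso), datetime.fromisoformat(now_iso)
    return expires - now <= timedelta(days=warn_days)

def constructed_token(roles):
    """Test fixture only: an unsigned JWT-shaped string whose payload carries a roles claim."""
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'typ': 'JWT'})}.{seg({'roles': roles})}.constructed-signature"
```

Decode the real token with a verifying library before trusting it for anything beyond this local inspection; here the claim is read only to compare the granted set with the documented minimum.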
Privileges required while using Azure AD Graph API
The use of Azure AD Graph API is deprecated. Instead, it's strongly recommended you use the Microsoft Graph API to audit your Azure AD.
For more details on why Azure AD graph API was deprecated, check the FAQ.
Check if you are using Azure AD Graph API and, if so, migrate using these steps:
- Open the ADAudit Plus web console.
- Go to Configuration > Configured Server(s) > Cloud Directory.
- In the top-right corner, if the Migrate to Microsoft Graph API button is available, then Azure Active Directory Graph API is in use.
- If the Back to Azure AD Graph API button is available, then Microsoft Graph API is in use.
- Migrate to Microsoft Graph API from Azure AD Graph API by clicking Migrate to Microsoft Graph API at the top-right corner.
- Click Yes in the confirmation prompt.
Note: Once you have migrated to Microsoft Graph API, add the necessary minimum privileges using the steps listed here.
If you still want to use Azure AD Graph API, you can find the privileges required below: